
Re: Smartcard logon using Heimdal KDC

Are you doing it in accordance with
draft-ietf-krb-wg-kerberos-sam-02?  That's how SecurID and
CRYPTOcard are currently supported and the MIT 1.3.1 client supports

What kind of smart card are you trying to support?

At 1:41 PM +0100 1/26/04, Prágai Róbert wrote:
>   I try to arrange an environment, where users can logon to a 
>Kerberos realm from Windows 2000 workstations via smartcard logon.
>   I've already reached a point where normal password logon works 
>from Windows workstations to the Kerberos realm, and the smartcard 
>logon works from the Windows workstations to the Windows domain.
>   However when I tested the smartcard logon from a Windows 
>workstation to the Heimdal KDC, the workstation initiated a normal 
>password logon to the Unix KDC instead of smartcard logon according 
>to the network traffic. I initiated a logon using the smartcard 
>logon process, typed the PIN but the network flow between the 
>workstation and the Unix KDC was similar to the normal password 
>logon case.
>     Does anyone have enough experience with Windows PKINIT to 
>answer whether it is the intentional working mechanism of the 
>Windows 2000 workstations that it initiates a normal password logon 
>to Unix KDCs? If it is intentional, however what part of the 
>security system is responsible for it: the GINA, the LSA, the SSP, 
>maybe the corresponding CSP or other? What should I change in the 
>system to make this environment work?
>    All comments are welcome.
>Robert Pragai

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu